当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2014-060452

漏洞标题:墨迹天气登陆逻辑有误导致可以暴力破解

相关厂商:mojichina.com

漏洞作者: 路人甲

提交时间:2014-05-16 10:50

修复时间:2014-06-30 10:51

公开时间:2014-06-30 10:51

漏洞类型:设计缺陷/逻辑错误

危害等级:中

自评Rank:10

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2014-05-16: 细节已通知厂商并且等待厂商处理中
2014-05-19: 厂商已经确认,细节仅向厂商公开
2014-05-29: 细节向核心白帽子及相关领域专家公开
2014-06-08: 细节向普通白帽子公开
2014-06-18: 细节向实习白帽子公开
2014-06-30: 细节向公众公开

简要描述:

登陆的时候 虽然有验证码 但是在后端验证的时候 并没有先验证验证码的正确性

详细说明:

登陆错误超过3次 会有验证码 出现
但是同样可以验证某个用户是否存在
使用网上泄露过的用户名(只用了5W用户) 进行尝试 发现将近1000用户

漏洞证明:

使用几个弱口令 发现以下用户
------------pass 123456 begin
null KECHA@YEAH.NET
null vicroad@gmail.com
null hzpchan@gmail.com
null r_icky@163.com
null zlhacker@sohu.com
null rizhaofeng@126.com
null yujing0369@163.com
null zzhou998@qq.com
null magiceye@163.com
null huang@tom.com
null liu_sijia@126.com
------------pass 123456 end
* ------------pass 111111 begin
null unauthorised@sina.com
null lynnlni@gmail.com
null 936193624@qq.com
------------pass 111111 end
* ------------pass 000000 begin
null lhkzyg@126.com
------------pass 000000 end
* ------------pass 123123 begin
null rzheny@126.com
null dennis1129@163.com
------------pass 123123 end
{"data":{"code":0,"createTime":1388984078000,"email":"vicroad@gmail.com","mobile":null,"msg":null,"nick":"vicroad","sessionId":"C7395399AA198E74BD459E0780782912","snsId":11368777,"snsName":"vicroad@gmail.com","status":"1","type":"0","userId":173956414,"password":"CD5B83B4316436A8B73347A6BD9D4A72","userType":1,"emailStatus":1,"mojiForum":0,"face":"http:\/\/ugcface.moji001.com\/images\/sns_user_face\/2014\/1\/6\/face_113687778233173463481587298.jpg"},"code":0}
{"data":{"code":0,"createTime":1385866116000,"email":"zlhacker@sohu.com","mobile":null,"msg":null,"nick":"yangyang002","sessionId":"E1AA141A81634531A007CAE4D914E3D1","snsId":10102361,"snsName":"zlhacker@sohu.com","status":"1","type":"0","userId":146437603,"password":"CD5B83B4316436A8B73347A6BD9D4A72","userType":1,"emailStatus":1,"mojiForum":0,"face":""},"code":0}
密码虽然是hash值 但是在登陆的时候可以无限尝试 得到明文对应的hash值
{"data":{"code":3,"createTime":null,"email":null,"mobile":null,"msg":"\u5bc6\u7801\u9519\u8bef","nick":null,"sessionId":null,"snsId":null,"snsName":null,"status":null,"type":null,"userId":null,"password":"CD5B83B4316436A8B73347A6BD9D4A72","loginErrNum":93178},"code":0}

修复方案:

修改验证逻辑

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:中

漏洞Rank:6

确认时间:2014-05-19 16:20

厂商回复:

我们已修复登入过程中的验证逻辑,感谢提醒!

最新状态:

暂无